Storm-2561 fake enterprise VPN Hyrax infostealer activity
Malware Activity
Summary
Hide ▲
Show ▼
A fake enterprise VPN installer is now delivering Hyrax infostealer components that steal VPN credentials and maintain persistence on Windows systems. The operation matters because it disguises itself as legitimate VPN software, captures login data, and can keep reusing infected hosts for follow-on access.
Related Happenings
SilabRAT session-hijacking crypto-draining malware activity
Malware Activity
H score24
First: 10.06.2026 18:30
Last: 10.06.2026 18:30
Sources 1
About this happening:
The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...
SilabRAT session-hijacking crypto-draining malware activity
Malware ActivityAbout this happening: The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation Wave
H score47
First: 08.06.2026 17:17
Last: 08.06.2026 17:17
Sources 1
About this happening:
**CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
JINX-0164 cryptocurrency recruitment-lure campaign
CampaignAbout this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
Fake Claude PlugX phishing campaign
Campaign
H score34
First: 13.04.2026 12:52
Last: 13.04.2026 12:52
Sources 1
About this happening:
A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...
Fake Claude PlugX phishing campaign
CampaignAbout this happening: A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...
Latest development: 07.05.2026 13:02
A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.
Warlock ransomware post-exploitation tooling upgrades
Malware Activity
H score38
First: 17.03.2026 17:36
Last: 17.03.2026 17:36
Sources 1
About this happening:
The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
Warlock ransomware post-exploitation tooling upgrades
Malware ActivityAbout this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
Timeline
-
13.03.2026 15:23 2 articles · 3mo ago
Microsoft details Storm-2561 fake VPN credential-theft campaign
Technical Analysis UpdateMicrosoft detailed a Storm-2561 campaign that used SEO poisoning and spoofed enterprise VPN download pages for Ivanti, Cisco, Fortinet, and other vendors to lure users to a fake GitHub-hosted MSI installer. When executed, the installer dropped `Pulse.exe`, `dwmapi.dll`, and `inspector.dll`, stole VPN credentials and `connectionsstore.dat`, persisted through the Windows `RunOnce` registry key, showed an installation error to reduce suspicion, and redirected victims to the legitimate vendor site; Microsoft also published IoCs and hunting guidance.
Show sources
- Fake enterprise VPN downloads used to steal company credentials — www.bleepingcomputer.com — 13.03.2026 15:23
- Fake enterprise VPN downloads used to steal company credentials — www.bleepingcomputer.com — 13.03.2026 15:23